From: Joshua Lock <joshua.g.lock@linux.intel.com>
To: Chen Qi <Qi.Chen@windriver.com>,
openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 1/1] cve-check.bbclass: make warning contain CVE IDs
Date: Tue, 09 May 2017 10:17:28 +0100 [thread overview]
Message-ID: <1494321448.10021.1.camel@linux.intel.com> (raw)
In-Reply-To: <ecb02fcc0cbe4c1ea8967c80b9d1e6d14586ed2e.1494321164.git.Qi.Chen@windriver.com>
On Tue, 2017-05-09 at 17:13 +0800, Chen Qi wrote:
> When warning users about unpatched CVE, we'd better put CVE IDs into
> the warning message, so that it would be more straight forward for
> the
> user to know which CVEs are not patched.
>
> So instead of:
> WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for
> more information check /path/to/workdir/cve/cve.log.
> We should have:
> WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-
> 2017-7869), for more information check /path/to/workdir/cve/cve.log.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> meta/classes/cve-check.bbclass | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> check.bbclass
> index 0e4294f..496d744 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -234,7 +234,8 @@ def cve_write_data(d, patched, unpatched,
> cve_data):
> cve_file = d.getVar("CVE_CHECK_LOCAL_FILE")
> nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
> write_string = ""
> - first_alert = True
> + has_unpatched_cve = False
> + unpatched_cves = []
> bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR"))
>
> for cve in sorted(cve_data):
> @@ -244,15 +245,17 @@ def cve_write_data(d, patched, unpatched,
> cve_data):
> if cve in patched:
> write_string += "CVE STATUS: Patched\n"
> else:
> + unpatched_cves.append(cve)
> write_string += "CVE STATUS: Unpatched\n"
> - if first_alert:
> - bb.warn("Found unpatched CVE, for more information
> check %s" % cve_file)
> - first_alert = False
> + has_unpatched_cve = True
> write_string += "CVE SUMMARY: %s\n" %
> cve_data[cve]["summary"]
> write_string += "CVSS v2 BASE SCORE: %s\n" %
> cve_data[cve]["score"]
> write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
> write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link,
> cve)
>
> + if has_unpatched_cve:
There's no need for the has_unpatched_cve variable, you can just test
whether the unpatched_cves list is empty:
>>> foo = []
>>> bar = [1, 2, 3]
>>> if foo:
... print("foo")
...
>>> if bar:
... print("bar")
...
bar
Your conditional can just be:
+ if unpatched_cve:
> + bb.warn("Found unpatched CVE (%s), for more information
> check %s" % (" ".join(unpatched_cves),cve_file))
> +
> with open(cve_file, "w") as f:
> bb.note("Writing file %s with CVE information" % cve_file)
> f.write(write_string)
> --
> 1.9.1
>
next prev parent reply other threads:[~2017-05-09 9:17 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-09 9:13 [PATCH 0/1] cve-check.bbclass: make warning contain CVE IDs Chen Qi
2017-05-09 9:13 ` [PATCH 1/1] " Chen Qi
2017-05-09 9:17 ` Joshua Lock [this message]
2017-05-09 9:25 ` ChenQi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1494321448.10021.1.camel@linux.intel.com \
--to=joshua.g.lock@linux.intel.com \
--cc=Qi.Chen@windriver.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox